Sqreen, profile picture
Uploaded bySqreen
75 views

Protecting against injections at scale

The document discusses the protection against injection vulnerabilities, focusing on XSS, SQL, and shell injections, which can change the semantics of contexts, allowing attackers to exploit them. It emphasizes the importance of context-aware detection methods over pattern-based approaches to effectively secure applications at scale. The content encourages testing and highlights job opportunities related to this field.

Embed presentation

Download to read offline
Protecting against injections (at scale) Beerump - 2019/05/29
Example: XSS (forget beerump)
XSS when: user parameter is not escaped OK if param in: [a-z0-9] ✅ Cannot change HTML semantics Potential exploit if param has: [<>”’] ❌ Can change HTML semantics XSS (reflected)
rendered page uses user supplied data that can inject HTML The vulnerability is here when
How can we detect? User data + Vulnerable template data=%3Cscript%3Ealert(0);%3C/script%3E 1 2 div script alert(0) 3 div !{user_data}
In practice, there is a vulnerability if... Arbitrary data Is used in a context Data can change the context’s semantics Context with data is interpreted later User parameters HTML template <script> → in a web browser
User input Context Semantics Interpreted Examples SQL injection SQL query ‘ OR 1=1 -- SQL database XSS HTML <script>alert(0); Web browser MongoDB injection MongoDB query { $gte: 0 } MongoDB server Shell injection Shell command “; nc -e /bin/sh Shell :)
And in practice? (I mean, real world)
Most of these are open source Super easy to test: ● “pure” code (no I/O involved) ● Tests are open source Cannot proactively find issues ... XSS: HTML parser SQL injection: SQL parser Shell injection: shell parser MongoDB injection: MongoDB parser ... Need semantics to understand the context
At scale: 6 runtimes many frameworks Track user inputs Have reliable parsers Protect from injection attacks
We don’t need patterns → only based on context semantics
Generic algorithm against injection Not behavior based Need to have: Context awareness User parameter tracking Can detect attacks as they occur Let’s recap
Questions :)? Please, test! → https://bit.ly/2I3SUql
We’re hiring!

More Related Content

PPT
ASP.net MVC CodeCamp Presentation
bybuildmaster
 
PPTX
Dzhengis 93098 ajax - security
bydzhengo44
 
PDF
Do we need a bigger dev data culture
bySimon Dittlmann
 
PPTX
Error codes & custom 404s
byRonan Dunne, CEH, SSCP
 
PPTX
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
PPTX
Introduction to CodeIgniter
byPiti Suwannakom
 
PPTX
Protecting your data from SQL Injection attacks
byKevin Alcock
 
PPTX
Cross site scripting
byDilan Warnakulasooriya
 
ASP.net MVC CodeCamp Presentation
bybuildmaster
 
Dzhengis 93098 ajax - security
bydzhengo44
 
Do we need a bigger dev data culture
bySimon Dittlmann
 
Error codes & custom 404s
byRonan Dunne, CEH, SSCP
 
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
Introduction to CodeIgniter
byPiti Suwannakom
 
Protecting your data from SQL Injection attacks
byKevin Alcock
 
Cross site scripting
byDilan Warnakulasooriya
 

What's hot

PPTX
Web Hacking Intro
byAditya Kamat
 
PPTX
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
byDivyanshu
 
PPTX
Asp.net mvc
byerdemergin
 
PPT
Pentest Application With GraphQL | Null Bangalore Meetup
byDivyanshu
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PDF
Beyond HTML: Tools for Building Web 2.0 Apps
byMarcos Caceres
 
PPTX
Net core performance
byChamithSaranga
 
PDF
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
PPT
2310 b 08
byKrazy Koder
 
PPTX
Ajax
byRajesh Khanna
 
PPT
Ajax
byMahesh Shitole
 
PPT
2310 b 16
byKrazy Koder
 
PDF
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
PPTX
State management
byMuhammad Amir
 
PPTX
Ajax
byRajesh Khanna
 
PDF
The practice of web application penetration testing
by_U2_
 
PPT
MVC ppt presentation
byBhavin Shah
 
PPTX
Having fun with code igniter
byAhmad Arif
 
PDF
SQL Injection Tutorial
byMagno Logan
 
PPTX
Building the an End-to-End ASP.NET MVC 4, Entity Framework, HTML5, jQuery app...
byDan Wahlin
 
Web Hacking Intro
byAditya Kamat
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
byDivyanshu
 
Asp.net mvc
byerdemergin
 
Pentest Application With GraphQL | Null Bangalore Meetup
byDivyanshu
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
Beyond HTML: Tools for Building Web 2.0 Apps
byMarcos Caceres
 
Net core performance
byChamithSaranga
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
byPichaya Morimoto
 
2310 b 08
byKrazy Koder
 
Ajax
byRajesh Khanna
 
Ajax
byMahesh Shitole
 
2310 b 16
byKrazy Koder
 
Javacro 2014 Spring Security 3 Speech
byFernando Redondo Ramírez
 
State management
byMuhammad Amir
 
Ajax
byRajesh Khanna
 
The practice of web application penetration testing
by_U2_
 
MVC ppt presentation
byBhavin Shah
 
Having fun with code igniter
byAhmad Arif
 
SQL Injection Tutorial
byMagno Logan
 
Building the an End-to-End ASP.NET MVC 4, Entity Framework, HTML5, jQuery app...
byDan Wahlin
 

Similar to Protecting against injections at scale

PPT
CROSS SITE SCRIPTING.ppt
byyashvirsingh48
 
PDF
Cross-site Scripting
byAndrew Kerr
 
PPTX
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
PDF
XSS.pdf
byOkan YILDIZ
 
PDF
XSS.pdf
byOkan YILDIZ
 
PPTX
Cross Site Scripting (XSS)
byBarrel Software
 
PDF
Complete xss walkthrough
byAhmed Elhady Mohamed
 
PPTX
04. xss and encoding
byEoin Keary
 
PDF
Application security 101
byVlad Garbuz
 
PDF
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
byIRJET Journal
 
PPT
Protecting Your Web Site From SQL Injection & XSS
byskyhawk133
 
PPTX
Cross site scripting
byBilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
PDF
Non-Esoteric XSS Tips & Tricks
byMiroslav Stampar
 
PDF
Xss 101 by-sai-shanthan
byRaghunath G
 
PDF
Xss 101
byn|u - The Open Security Community
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
PPT
Cross Site scripting Attacks - by Adam Nurudini
byAdam Nurudini
 
PPTX
QA Lab: тестирование ПО. Владимир Гарбуз: "Application Security 101"
byGeeksLab Odessa
 
PPTX
Web Hacking Series Part 4
byAditya Kamat
 
PPTX
Vulnerabilities in Web Applications
byVenkat Ramana Reddy Parine
 
CROSS SITE SCRIPTING.ppt
byyashvirsingh48
 
Cross-site Scripting
byAndrew Kerr
 
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
XSS.pdf
byOkan YILDIZ
 
XSS.pdf
byOkan YILDIZ
 
Cross Site Scripting (XSS)
byBarrel Software
 
Complete xss walkthrough
byAhmed Elhady Mohamed
 
04. xss and encoding
byEoin Keary
 
Application security 101
byVlad Garbuz
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
byIRJET Journal
 
Protecting Your Web Site From SQL Injection & XSS
byskyhawk133
 
Cross site scripting
byBilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Non-Esoteric XSS Tips & Tricks
byMiroslav Stampar
 
Xss 101 by-sai-shanthan
byRaghunath G
 
Xss 101
byn|u - The Open Security Community
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
Cross Site scripting Attacks - by Adam Nurudini
byAdam Nurudini
 
QA Lab: тестирование ПО. Владимир Гарбуз: "Application Security 101"
byGeeksLab Odessa
 
Web Hacking Series Part 4
byAditya Kamat
 
Vulnerabilities in Web Applications
byVenkat Ramana Reddy Parine
 

More from Sqreen

PDF
Serverless security - how to protect what you don't see?
bySqreen
 
PDF
Writing a Python C extension
bySqreen
 
PDF
Api days 2018 - API Security by Sqreen
bySqreen
 
PDF
NoSQL Injections in Node.js - The case of MongoDB
bySqreen
 
PDF
Application Security from the Inside - OWASP
bySqreen
 
PDF
Tune your App Perf (and get fit for summer)
bySqreen
 
PDF
Instrument Rack to visualize
 Rails requests processing
bySqreen
 
PDF
Ruby on Rails security in your Continuous Integration
bySqreen
 
Serverless security - how to protect what you don't see?
bySqreen
 
Writing a Python C extension
bySqreen
 
Api days 2018 - API Security by Sqreen
bySqreen
 
NoSQL Injections in Node.js - The case of MongoDB
bySqreen
 
Application Security from the Inside - OWASP
bySqreen
 
Tune your App Perf (and get fit for summer)
bySqreen
 
Instrument Rack to visualize
 Rails requests processing
bySqreen
 
Ruby on Rails security in your Continuous Integration
bySqreen
 

Recently uploaded

PDF
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
PPTX
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
PPT
Presentation on TCL/TK scripting language
byBimal Jain
 
PDF
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
PPTX
operating sys about shells and terminals commands .pptx
byYazeedAbdullah6
 
PDF
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
PDF
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
PDF
Data Integration with Salesforce Bootcamp
byDele Amefo
 
PDF
BCA 1st Semester Fundamentals Solved Question Paper 44121
byKuvempu University
 
PDF
Breaking the Vulnerability Management Cycle with Anchore and Echo
byAnchore
 
PDF
DSD-INT 2025 Reviving a Lost Meander - Deen
byDeltares
 
PDF
Presentation Empowerment Technology in ICT
byoryoseiii
 
PDF
DSD-INT 2025 Century-Scale Impacts of Sediment-Based Coastal Restoration unde...
byDeltares
 
PPTX
CRM Development Company | Custom CRM Development Services
byyugababu033
 
PDF
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
PPTX
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
PDF
DevOps Monitoring Tools: The 2025 Guide to Performance & Observability
byalexendrascott01
 
PDF
DSD-INT 2025 3D-modelling of salt intrusion into Germany’s busiest waterway -...
byDeltares
 
PDF
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
PDF
DSD-INT 2025 Understanding the Paraguay River Response to Hard Bottom Dredgin...
byDeltares
 
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
Presentation on TCL/TK scripting language
byBimal Jain
 
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
operating sys about shells and terminals commands .pptx
byYazeedAbdullah6
 
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
Data Integration with Salesforce Bootcamp
byDele Amefo
 
BCA 1st Semester Fundamentals Solved Question Paper 44121
byKuvempu University
 
Breaking the Vulnerability Management Cycle with Anchore and Echo
byAnchore
 
DSD-INT 2025 Reviving a Lost Meander - Deen
byDeltares
 
Presentation Empowerment Technology in ICT
byoryoseiii
 
DSD-INT 2025 Century-Scale Impacts of Sediment-Based Coastal Restoration unde...
byDeltares
 
CRM Development Company | Custom CRM Development Services
byyugababu033
 
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
DevOps Monitoring Tools: The 2025 Guide to Performance & Observability
byalexendrascott01
 
DSD-INT 2025 3D-modelling of salt intrusion into Germany’s busiest waterway -...
byDeltares
 
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
DSD-INT 2025 Understanding the Paraguay River Response to Hard Bottom Dredgin...
byDeltares
 

Protecting against injections at scale

  • 1.
    Protecting against injections (atscale) Beerump - 2019/05/29
  • 2.
  • 3.
    XSS when: userparameter is not escaped OK if param in: [a-z0-9] ✅ Cannot change HTML semantics Potential exploit if param has: [<>”’] ❌ Can change HTML semantics XSS (reflected)
  • 4.
    rendered page usesuser supplied data that can inject HTML The vulnerability is here when
  • 5.
    How can wedetect? User data + Vulnerable template data=%3Cscript%3Ealert(0);%3C/script%3E 1 2 div script alert(0) 3 div !{user_data}
  • 6.
    In practice, thereis a vulnerability if... Arbitrary data Is used in a context Data can change the context’s semantics Context with data is interpreted later User parameters HTML template <script> → in a web browser
  • 7.
    User input Context Semantics Interpreted Examples SQL injection SQLquery ‘ OR 1=1 -- SQL database XSS HTML <script>alert(0); Web browser MongoDB injection MongoDB query { $gte: 0 } MongoDB server Shell injection Shell command “; nc -e /bin/sh Shell :)
  • 8.
    And in practice? (Imean, real world)
  • 9.
    Most of theseare open source Super easy to test: ● “pure” code (no I/O involved) ● Tests are open source Cannot proactively find issues ... XSS: HTML parser SQL injection: SQL parser Shell injection: shell parser MongoDB injection: MongoDB parser ... Need semantics to understand the context
  • 10.
    At scale: 6 runtimes manyframeworks Track user inputs Have reliable parsers Protect from injection attacks
  • 11.
    We don’t needpatterns → only based on context semantics
  • 12.
    Generic algorithm againstinjection Not behavior based Need to have: Context awareness User parameter tracking Can detect attacks as they occur Let’s recap
  • 13.
    Questions :)? Please, test!→ https://bit.ly/2I3SUql
  • 14.